Anatomy of a Ransomware Attack: How to Respond to a Ransom Request


All around the world, public and private organizations of every shape and size are being targeted by the advanced technologies and criminal motivations of cyber threat actors. Globally, we are facing a digital crimewave unlike anything we have observed since the rise of mass telecommunications technologies.

At the center of this vast digital crimewave is a Crimeware as a Service (CaaS) variant known as ransomware, which has been unleashed to devastating results in nearly every country on Earth.

“The most important thing to know about ransomware is that it is typically delivered through emails that have malicious links or payloads,” says inSOC Chief Information Officer Jeff Gulick.

“It is also delivered through malicious websites that are accessed through clickbait, which are those ads you see along the sides of websites. These malicious sites are trying to target a person’s interests whether it be sexual content, political leanings, or weight loss, for example. Ransom is the most effective way for cybercriminals to earn revenues.”

In 2012, Symantec used data from a single command and control (C2) server that had compromised 5,700 computers in one day to estimate that approximately 2.9% of compromised users paid the ransom. With an average ransom of $200, this meant malicious actors could profit $33,600 per day, or $394,400 per month, from a single compromised C2 server. These rough estimates demonstrated to would-be criminals just how profitable ransomware could be.

Since 2013, ransomware variants such as CLOP, Conti, CryptorBit, CryptoLocker, Cring, REvil, Locky, Maze, Nephilim, Ryuk, Sodinokibi, XORIST, and Tycoon have been used alongside other hacking tools such as GameOverZeus and Cobalt Strike to target every type of public and private organization imaginable.

This has placed a particular strain on managed service providers (MSPs) and managed security service providers (MSSPs). Responsible for safeguarding digital networks, protecting cloud-based assets, and ensuring that every type of public and private organization is able to stay online sustainably, MSPs and MSSPs are increasingly finding their own networks in the crosshairs of ransomware attackers.

Information security analysts have found that if global cybercrime, worth $6 trillion USD in 2021, were a nation, it would be the third largest economy in the world behind the United States and China. As staggering as that may be, current projections estimate that, at 15% annual growth, the market for crimeware-as-a-service solutions could reach as high as $10.5 trillion USD as soon as 2025.

Ransomware attacks are on the rise and every organization in the world should be highly motivated to take precautionary actions to protect the information driving their success from falling into the hands of cyber threat actors. In this article, we will explore the anatomy of a modern ransomware attack and offer actionable insights about how to respond if your MSP or MSSP is targeted by cyber threat actors using a ransomware variant.

Anatomy of a Ransomware Attack: Quantifying the Impact of Cybercrime Against MSPs and MSSPs

Ransomware is a diverse and ever-growing family of software that includes many unique variants that have been unleashed to devastating effects against every type of industry, organization, and government found in the world today.

However, if we consider the impacts of just the single DarkSide ransomware variant, it becomes abundantly clear why MSPs and MSSPs ought to be placing advanced cybersecurity technologies such as Open-XDR and policies and procedures such as weekly vulnerability scanning at the center of their efforts to counter ransomware attacks.

The DarkSide ransomware variant was used to attack the Colonial Pipeline, Toshiba Tec France Imaging Systems, a Scottish construction company, a Brazilian reseller of renewable energy solutions, and a reseller of technology services that could be described as an MSP/MSSP, among many other organizations around the world. According to CNBC, the DarkSide attack against the technology reseller resulted in a data breach of more than 600 gigabytes of sensitive information, including passwords, financial information, HR information, and employee passports.

MSPs and MSSPs represent extremely lucrative targets for ransomware gangs because they are responsible for safeguarding other organizations’ sensitive data. This is precisely what made the 2020 SolarWinds data breach such a catastrophic event for all of the connected federal government agencies and private sector organizations. Due to SolarWinds’ presence as a federal contractor, cyber espionage campaigns carried out using its resources allowed criminal organizations to gain lateral access (a so-called supply chain breach) to many additional organizations through the successful use of a single attack vector.

Ransomware attacks create an extremely challenging situation for both MSPs and MSSPs as well as for the clients who trust them to protect the data driving their success. For this reason, it is absolutely essential that service providers take ransom threats seriously and respond in the most pragmatic ways possible.

In the following section, we will explore the recent research literature around how companies should respond to ransomware attacks.

How to Respond to Ransomware Requests

In the blink of an eye all of your systems go down. Your employees cannot access their files, you have no access to your email servers, and the frameworks supporting your platforms, products, and services all come grinding to a halt… it sounds like you might be experiencing a ransomware attack.

Suddenly, a key decision-maker within your organization receives a cryptic message demanding that a fee of millions of dollars be paid or your organization will lose access to all of its data. Believe it or not, though this scenario might sound like something taken out of a James Bond film, it is the reality that many organizations are facing in 2021.

“It is never okay to pay the ransom. You pay the ransom and you are going to be put on a sucker list. And it’s the worst kind of sucker list, where the criminal organizations keep coming back and targeting you, because they know you will keep paying,” says Gulick.

“This is why the FBI will not negotiate with hostage takers. It’s the same principle.”

Of course, it might be very tempting to simply pay the ransom fee demanded in order to regain access to your data. There is just one little problem with that logic: according to a comprehensive study carried out by cybersecurity research organization Kaspersky Labs, though 56% of the 15,000 international organizations queried admitted to paying out ransoms, nearly 20% did so without ever regaining access to their data.

Instead, criminal organizations were able to retrieve a lucrative payout, capitalise on all of that stolen information, and become further emboldened to continue their scheme in search of higher payouts. In general, it is never a good idea to play a dangerous game with cyber criminal organizations; instead, we recommend that you contact local law enforcement officials before capitulating to any ransom demands placed by cyber threat actors. It is important for you to know that in some situations, working with cyber threat actors to pay out ransomware fees could constitute a criminal act in and of itself.

According to the research report The State of Ransomware 2021, the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021. The average ransom paid is $170,404. The report’s global findings also show that only 8% of organizations managed to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.

Consider the following statistics when deciding whether or not it is prudent to pay a ransomware fee:

  • The average cost of mitigating a ransomware attack doubled over the last 12 months, growing from $761,106 in 2020 to $1.85 million in 2021. This means that the cost to fully remediate a ransomware attack is 10 times higher than the typical ransom fee charged in this attack. Though this may read like an endorsement for paying ransom fees, consider that the remediation costs exist with or without a ransom fee being paid.
  • In 2021, the average ransom fee paid out was $170,404, though $3.2 million was the highest amount paid out among the organizations surveyed. The most common amount paid out was $10,000, with more than 10 organizations paying more than $1 million in ransomware fees.
  • In 2020, 26% of organizations paid out ransom fees, and in 2021 that increased to 32%, though only 8% of these organizations were able to safely retrieve all of their data after paying ransomware fees.

Many recent ransomware variants such as DearCry and Black Kingdom used such low-quality coding techniques that recovering data from these attacks is basically impossible using existing technological resources. More than 54% of organizations surveyed believe that their existing IT departments do not have the know-how or expertise to successfully ensure that a cybersecurity kill chain is in place to safeguard data.

Though it will be important for each organization affected by a cybercrime event to consider how it should respond, there is a mounting body of evidence to suggest that paying out ransomware fees is, at best, a very risky and imprecise means of securing compromised data and, at worst, could expose organizations to additional reputational and legal challenges.

Prevention Starts at Home: How to Safeguard Your Organization Against Ransomware Attacks

Preventing emerging cybercrime threats such as ransomware requires having a clear understanding about where your organization is most vulnerable. A baseline evaluation of your networks, systems, platforms, and general IT environment is a great starting point that could be further enhanced with penetration testing and other more advanced methods.

“First you need to assess and establish a baseline. All of this could be compiled in the form of a security maturity assessment or risk analysis report,” says Gulick.

“The first thing you want to do is take a good long look in the mirror. Be safe, be secure, be proactive because ultimately, it costs a lot more money to be reactive to cyber threats.”

Arriving at a baseline understanding of your organization’s cybersecurity advantages and blind spots requires integrated decision-making between your information technology (IT) leads and the other key business divisions in your organization. Though IT is responsible for managing the systems your company relies on, investing in cybersecurity is ultimately a business choice. To strengthen it, we recommend implementing adequate change and review processes so that security progress can be checked consistently against structured and measurable goals.

“You don’t have to secure yourself like Fort Knox. The goal is to reduce the threat surface. With security, there should be several layers of protection,” says Gulick.

“One of those layers of protection is anti-virus and anti-malware, and each layer is going to protect you a percentage of the time. Nothing is foolproof.”

One of the strongest means of invigorating your cybersecurity efforts is to design effective policy frameworks and governance structures that mandate how your employees should respond to typical cyber threat situations. Consistent effort should be placed on onboarding new team members, offering additional training for existing staff, and ensuring that all team members are consistently following data security best practices.

“I think companies are surprised by the fact that they need to have policies and that those policies need to be written and reviewed. They believe that simply having an agreed upon policy that they’ve talked about informally in a meeting is enough, but it’s not,” says Gulick.

“In order to hold people accountable to a certain level of compliance with the policies, it has to be written and approved. These things have to come down from the top, from senior leadership, who are the ones defining the business rules.”

Security threat assessments, data security training programs, and corporate frameworks for cybersecurity policies need to be addressed on a consistent basis. These are ongoing initiatives that need to gain prominence in your organizational culture. It is important for all members of every business division to understand the immense opportunities and challenges that come from enhancing cybersecurity and applying actionable insights to prevent attacks like ransomware.

inSOC specializes in offering Security Operations Centre as a service (SOCaaS) for MSPs and MSSPs. As part of a layered cyber defense approach, inSOC’s turnkey solution empowers your organization to gain 24/7 real-time insights into emerging cyber threats. Our multilayered intrusion detection and vulnerability management systems form the foundation of the preventative measures your organization can take to protect your investments.

MSPs and MSSPs are under constant attack from advanced cyber criminals and state-backed organizations. inSOC provides the enterprise security operations resources your team needs to stay ahead and keep on top.

Every 11 seconds another organization in the world is hit with a ransomware attack. Is yours prepared?

Ready to get started? Perfect! inSOC is here to help. Schedule a demo today to learn how we can help you protect your organization against ransomware and other high-fidelity threats.